
Agile security

How to apply security in an agile environment. Using old frameworks in an agile environment fails. By using a new model and an agile aligned security strategy, information security can be integrated into agile development projects.

1.
Agile Security
Can infosec keep up with agile?
www.i-to-i.nl
A new security
management approach
for agile environments
www.agilesecurity.nl

2.
+ 31-6-53315102
arthur@1secure.nl
www.1secure.nl
Arthur Donkers
Security Officer
Interested in info sec, technology, organisation
and combining these all into one solution.
Critical Security Architect. Trainer for PECB (ISO27001,
27005, 31000). Convinced that Infosec is a means
to an end, not a purpose in itself.
Pascal de Koning
Has a security manager role at several companies.
His passion is to make security an integrated part of
IT. Was lead author of the TOGAF Security Guide
(2016). He also initiated the Security Service
Catalogue project, a joint effort of The Open Group
and The SABSA Institute.
Senior Security Consultant
p.de.koning@i-to-i.nl
+31-6-29525365
www.i-to-i.nl

3.
Agenda
• Four false assumptions that make the
traditional security approach fail
• ‘Feet in the mud’ with the Agile Security
Engagement Model (ASEM)
• Explanation of the innovations in this Agile
Security approach

4.
Why?
System and application development is moving
towards agile and a continuous delivery model.

11.
Misalignment
Agile and security frameworks do not cooperate
easily because of 4 ‘assumptions’

12.
Assumption #1
The agile project is capable of translating the
generic security requirements to specific controls
This fails because:
• Agile team has other priorities
• Agile team has limited resources
• Agile team has a strict timeline
• Agile team finds security boring

13.
Assumption #2
The agile team has the expertise and knowledge to
build secure solutions
This fails because:
• Agile team (often) does not have the skills or
expertise
• Agile team is not always aware of requirements
• Agile team is not aware of security vulnerabilities
• Agile team has no tools and methodologies

14.
Assumption #3
There is sufficient time and money to perform a
security test and process all of the
recommendations.
This fails because:
• Continuous delivery has no clear test phase
• Focus on functional testing
• Shifting focus, only clear at start of the sprint

15.
Assumption #4
There is sufficient time and money to identify
and address all security risks
This fails because:
• Serious time constraints
• Not enough people and resources
• Culture clash

22.
Security-related user stories
As a senior manager, I want to be sure that access to customer data is restricted so
that I won’t risk a fine of 800.000 euro in case of leakage of privacy-sensitive data.
As a senior manager, I want to be able to report to the regulatory board that this
application is free of technical vulnerabilities, so that we keep our license to operate.
As a customer, I want to be sure that the credit card data that I provide for payments
are processed and stored securely, so that access by third parties or hackers is
impossible.
Etc.

26.
Set up a security service catalogue
• Provide re-usable operational security services
to the development team
• Provide re-usable security patterns
• Manage these via a security catalogue (see next
slide)

32.
Continuous Monitoring
• Continuous security monitoring of the
development process!
• Define Key Risk Indicators and Quality Controls
at the detail level of the development process
(e.g. OWASP secure coding standard).
This step is NOT a SIEM or other Event
Monitoring service!